What you have, what you know… and who you are

I wrote in my last post about two step authentication (aka two factor authentication, two factor verification, TFA, 2FA, etc, etc). In other words, your online identity has to be verified by two steps – what you know (a password) and what you have (a one-time code, generated by Google Authenticator, for example). There is a third option: who you are. That suggests some form of biometrics. Now we can choose two from three.

In the spirit of experimentation, rather than paranoia, I tried adding a third level to my mobile phone. I have a 3 year old phone. I can’t do fingerprint recognition, but it has two cameras and a microphone. There are various apps that will do face and voice recognition. I chose one that does both of these. I’m not going to name names, because I don’t think it’s fair, but after a week of playing, I gave up!

Problem 1: face recognition is fine in principle. It works if the lighting is good. I could lock appropriate apps, such as Google Authenticator. The drawback is that the light is not always good. In practice, I kept finding myself with my back to a light, or in front of a window, or simply in a badly lit room.

And problem 2 is that speaking a phrase to a phone just seems odd. Every time I wanted to unlock something, I ended up typing in a PIN, as the fallback option. This kind of defeats the point.

In summary, I gave up because the pain outweighed any benefits. That’s not, however, to say that biometrics are a bad idea. Apple, in particular, seem keen to push for biometric identification to replace passwords. They don’t appear to be pushing for biometrics plus something (2FA), however, which doesn’t seem, to me, to be the right way to go.

There are a number of interesting questions here, that I will return to, in a slightly different context, at a later date. First, what biometrics should we use? Face and voice recognition are easy to support in laptaps and phones. These devices have forward-facing cameras and microphones. Fingerprint recognition requires special scanners. Iris recognition needs special hardware, too. Second, what constitutes a unique identity? How unique are fingerprints? The short answer is that nobody knows. Related to this is the question of what is being measured. A fingerprint is not a digital code. It’s a measure of particular features, subject to a certain resolution. The same applies to irises, faces, voices and DNA.

Finally, even if a biometric pattern is unique now, will it stay the same with time? We all know (unfortunately) that our faces change with time. How about our fingerprints and even our DNA? Do the distinguishing features remain the same over many years? I suspect not.

Ultimately, I think we are going to go in the direction of who you are plus something else. That raises some interesting questions about how we can validate what’s connected to the internet. It’s not just people, but things – how can we know that a smart meter is just a smart meter and not a Trojan?


One thought on “What you have, what you know… and who you are

  1. The Fingerprint recognition on my Galaxy S6 is supposed to work well, haven’t had the bottle to try it in case it malfunctions and locks me out. So a potentially useful security measures goes unused because of a lack of confidence in the robustness of the technology.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s